+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Using CodeIgniter (https://forum.codeigniter.com/forumdisplay.php?fid=5)
+--- Forum: General Help (https://forum.codeigniter.com/forumdisplay.php?fid=24)
+--- Thread: Need a little help with PHP_AUTH_(USER|PW) (/showthread.php?tid=63209)
Need a little help with PHP_AUTH_(USER|PW) - jLinux - 10-07-2015
So this question is a little more about PHP I guess, than it is specific to CodeIgniter, but I figure theres a bunch of very smart people her, so ill try!
My application will authenticate using the username and password from wherever it can get it from, heres the basic code:
PHP Code:
// First check for any POST credentials..
if( self::$CI->input->post('username') AND self::$CI->input->post('password') )
{
$username = self::$CI->input->post('username');
$password = self::$CI->input->post('password');
}
// For command line purposes, check for HTTP auth credentials, if they
// exist, then set the username and password posts as those values
elseif((isset($_SERVER['PHP_AUTH_USER'])) AND (isset($_SERVER['PHP_AUTH_PW'])))
{
$username = $_SERVER['PHP_AUTH_USER'];
$password = $_SERVER['PHP_AUTH_PW'];
}
So that works perfect when using POST, or when using curl on the command line and specifying the credentials via --user.
What I would also like to have it work with, is when you specify the credentials in the URL via http://user:password@application/.
I put a page with just the phpinfo() output, and when I visit it while specifying the credentials in the URL, it doesn't show that the PHP_AUTH_USER is set.
I also created a page with the following PHP:
PHP Code:
public function http_auth()
{
if( ! isset($_SERVER['PHP_AUTH_USER']))
{
header('HTTP/1.0 401 Unauthorized');
}
echo "Username is " . @$_SERVER['PHP_AUTH_USER'] ?: "Not Set";
echo "<br>Server Auth: " . @$_SERVER['HTTP_AUTHORIZATION']?: "Not Set";
}
and when I visit it with the credentials in the URL, the browser will alert that its logging me in, but PHP/Apache doesnt see it
Screenshot: http://d.pr/i/xRpN
I was wondering if anyone has a way around this? Id just like the users to be able to link directly to pages with the username/password, and have it login, as opposed to redirect them to the login page.
The authentication is done via PHP, not HTTP Basic Auth in Apache
RE: Need a little help with PHP_AUTH_(USER|PW) - mwhitney - 10-08-2015
In the manual discussion of HTTP Authentication, there's a user note regarding a workaround for a missing Authorization header. There are also a few StackOverflow posts about it which tend to eventually come back to this one.
I also missed the following the first time I read through the PHP manual page above (this is in the manual itself, not a user comment):
Quote: In order to prevent someone from writing a script which reveals the password for a page that was authenticated through a traditional external mechanism, the PHP_AUTH variables will not be set if external authentication is enabled for that particular page and safe mode is enabled. Regardless, REMOTE_USER can be used to identify the externally-authenticated user. So, you can use $_SERVER['REMOTE_USER'].
Note: Configuration Note
PHP uses the presence of an AuthType directive to determine whether external authentication is in effect.
RE: Need a little help with PHP_AUTH_(USER|PW) - jLinux - 10-08-2015
(10-08-2015, 06:49 AM)mwhitney Wrote: . There are also a few StackOverflow posts about it which tend to eventually come back to this one.I found that one too, doesn't seem to work though.
(10-08-2015, 06:49 AM)mwhitney Wrote: I also missed the following the first time I read through the PHP manual page above (this is in the manual itself, not a user comment):
Quote: In order to prevent someone from writing a script which reveals the password for a page that was authenticated through a traditional external mechanism, the PHP_AUTH variables will not be set if external authentication is enabled for that particular page and safe mode is enabled. Regardless, REMOTE_USER can be used to identify the externally-authenticated user. So, you can use $_SERVER['REMOTE_USER'].
Note: Configuration Note
PHP uses the presence of an AuthType directive to determine whether external authentication is in effect.
Thats interesting, because when I worked at PayPal, and I had a webpage auth via LDAP, in Apache, I noticed the username and password were stored in plain text in the PHP_AUTH variables, which caused my manager to make me scrap the project.. lol
Ill try some of these suggestions out, but I believe these work by causing the auth prompt to pop up, I was hoping to avoid that
P.S. This is what I tried: http://php.net/manual/en/features.http-auth.php#52405 With no avail
RE: Need a little help with PHP_AUTH_(USER|PW) - mwhitney - 10-08-2015
(10-08-2015, 07:02 AM)jLinux Wrote: P.S. This is what I tried: http://php.net/manual/en/features.http-auth.php#52405 With no avail
That one uses the following:
Code:
RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization},L]Try removing the ",L" from the end, since that tells mod_rewrite to stop processing rules. You'll also probably need it to be before any other rewrite rules. You may also need to check for REDIRECT_ variables, depending on your rules and where they are defined.
RE: Need a little help with PHP_AUTH_(USER|PW) - jLinux - 10-08-2015
(10-08-2015, 08:19 AM)mwhitney Wrote:(10-08-2015, 07:02 AM)jLinux Wrote: P.S. This is what I tried: http://php.net/manual/en/features.http-auth.php#52405 With no avail
That one uses the following:
Code:RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization},L]
Try removing the ",L" from the end, since that tells mod_rewrite to stop processing rules. You'll also probably need it to be before any other rewrite rules. You may also need to check for REDIRECT_ variables, depending on your rules and where they are defined.
I forgot to say in my other post, but I did try it with and without the L on the end. Also, this is in a separate folder from CodeIgniter, so it has its own .htaccess, so theres no other rules above it. Have you ever tried it? (successfully?)
RE: Need a little help with PHP_AUTH_(USER|PW) - mwhitney - 10-13-2015
I can't really use this type of authentication in my project, so I'm mostly going on the documentation. However, I'm assuming that mod_rewrite is losing the information you're looking for when it rewrites the URL for CodeIgniter (since many of the common rewrite directives used by CI users appear to possibly dump/lose/replace the data when rewriting the URL).
RE: Need a little help with PHP_AUTH_(USER|PW) - jLinux - 10-13-2015
(10-13-2015, 09:51 AM)mwhitney Wrote: I can't really use this type of authentication in my project, so I'm mostly going on the documentation. However, I'm assuming that mod_rewrite is losing the information you're looking for when it rewrites the URL for CodeIgniter (since many of the common rewrite directives used by CI users appear to possibly dump/lose/replace the data when rewriting the URL).
Thats a very good theory, I wouldnt at all be surprised about that.